From my read of the design, it doesn’t look like the proxy design provides a secure way of front-ending an application that won’t allow someone with network access behind the proxy to access the application either without authentication or by impersonating any user since the design appears to rely on HTTP headers set with identity information sent to the backend application.

Hi, We've got the Keycloak Security Proxy (official one - https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html) running and passing to an nginx proxy which is in turn proxying out different apps, ie: [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse Proxy] ------> [application] Where [] denotes a different box, the ProxyBox is hostname.domain and the apps are published as hostname.domain/appname However, the client is able to access the application without authentication, we have clients and roles set up in keycloak and the config looks ok (although obviously isn't!) Are there any KeyCloak Proxy logs we can look at, or debugging options? I haven't found any as yet andnothing is jumping out of the config. We can access the back end apps ok either from the Keycloak proxy running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this latter connection will be restricted to localhost when it's working!). The keycloak proxy config is very similar to the default except the values from the keycloak installation GUI have been pasted in. Any troubleshooting tips would be much appreciated! thanks in advance:) Guy _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

The idea of the proxy is that the secured app doesn't have to have a plugin. The secured app is supposed to be on a private network and the proxy sits on a public one. On 5/13/16 11:52 AM, Jason Axley wrote: > From my read of the design, it doesn’t look like the proxy design provides a secure way of front-ending an application that won’t allow someone with network access behind the proxy to access the application either without authentication or by impersonating any user since the design appears to rely on HTTP headers set with identity information sent to the backend application. > > A better design would have been to pass the actual Id Token to the backend application so that the backend application can actually verify the identity signature on the JWT so that someone can’t just fabricate arbitrary identity information. I would think this could work in concert with an application plugin that could consume these tokens and validate and make the identity information available to the application in a trustworthy manner. > > -Jason > > On 5/13/16, 8:00 AM, &quot;keycloak-user-bounces(a)lists.jboss.org on behalf of Guy Bowdler" <keycloak-user-bounces(a)lists.jboss.org on behalf of guybowdler(a)dorsetnetworks.com&gt; wrote: > >> Hi, >> >> We've got the Keycloak Security Proxy (official one - >> https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html) >> running and passing to an nginx proxy which is in turn proxying out >> different apps, ie: >> >> [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse Proxy] >> ------> [application] >> >> Where [] denotes a different box, the ProxyBox is hostname.domain and >> the apps are published as hostname.domain/appname >> >> >> However, the client is able to access the application without >> authentication, we have clients and roles set up in keycloak and the >> config looks ok (although obviously isn't!) >> >> Are there any KeyCloak Proxy logs we can look at, or debugging options? >> I haven't found any as yet andnothing is jumping out of the config. >> >> We can access the back end apps ok either from the Keycloak proxy >> running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this >> latter connection will be restricted to localhost when it's working!). >> The keycloak proxy config is very similar to the default except the >> values from the keycloak installation GUI have been pasted in. >> >> Any troubleshooting tips would be much appreciated! >> >> thanks in advance:) >> >> Guy >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

The idea of the proxy is that the secured app doesn't have to have a plugin. The secured app is supposed to be on a private network and the proxy sits on a public one. On 5/13/16 11:52 AM, Jason Axley wrote: > From my read of the design, it doesn’t look like the proxy design provides a secure way of front-ending an application that won’t allow someone with network access behind the proxy to access the application either without authentication or by impersonating any user since the design appears to rely on HTTP headers set with identity information sent to the backend application. > > A better design would have been to pass the actual Id Token to the backend application so that the backend application can actually verify the identity signature on the JWT so that someone can’t just fabricate arbitrary identity information. I would think this could work in concert with an application plugin that could consume these tokens and validate and make the identity information available to the application in a trustworthy manner. > > -Jason > > On 5/13/16, 8:00 AM, &quot;keycloak-user-bounces(a)lists.jboss.org on behalf of Guy Bowdler" <keycloak-user-bounces(a)lists.jboss.org on behalf of guybowdler(a)dorsetnetworks.com&gt; wrote: > >> Hi, >> >> We've got the Keycloak Security Proxy (official one - >> https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html) >> running and passing to an nginx proxy which is in turn proxying out >> different apps, ie: >> >> [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse Proxy] >> ------> [application] >> >> Where [] denotes a different box, the ProxyBox is hostname.domain and >> the apps are published as hostname.domain/appname >> >> >> However, the client is able to access the application without >> authentication, we have clients and roles set up in keycloak and the >> config looks ok (although obviously isn't!) >> >> Are there any KeyCloak Proxy logs we can look at, or debugging options? >> I haven't found any as yet andnothing is jumping out of the config. >> >> We can access the back end apps ok either from the Keycloak proxy >> running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this >> latter connection will be restricted to localhost when it's working!). >> The keycloak proxy config is very similar to the default except the >> values from the keycloak installation GUI have been pasted in. >> >> Any troubleshooting tips would be much appreciated! >> >> thanks in advance:) >> >> Guy >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

FYI I haven't touched this code in more than a year and have been relying on the community to maintain it. Why? Well, we're not supporting it in product and Apache plugins like mod-auth-mellon and mod-auth-oidc exist. We're also talking to other teams like API Man to see if we can offload the proxy on them. Anyways, sounds like lame excuses...I know you just want answers... On 5/13/16 4:33 PM, Guy Bowdler wrote: Also, you just need to configure and back end proxy only to accept connections from the key cloak proxy to secure, we've just left it open for now to troubleshoot On 13 May 2016 19:58:47 BST, Bill Burke <bburke(a)redhat.com&gt; wrote: The idea of the proxy is that the secured app doesn't have to have a plugin. The secured app is supposed to be on a private network and the proxy sits on a public one. On 5/13/16 11:52 AM, Jason Axley wrote: From my read of the design, it doesn’t look like the proxy design provides a secure way of front-ending an application that won’t allow someone with network access behind the proxy to access the application either without authentication or by impersonating any user since the design appears to rely on HTTP headers set with identity information sent to the backend application. A better design would have been to pass the actual Id Token to the backend application so that the backend application can actually verify the identity signature on the JWT so that someone can’t just fabricate arbitrary identity information. I would think this could work in concert with an application plugin that could consume these tokens and validate and make the identity information available to the application in a trustworthy manner. -Jason On 5/13/16, 8:00 AM, &quot;keycloak-user-bounces(a)lists.jboss.org on behalf of Guy Bowdler" <keycloak-user-bounces(a)lists.jboss.org on behalf of guybowdler(a)dorsetnetworks.com&gt; wrote: Hi, We've got the Keycloak Security Proxy (official one - https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html ) running and passing to an nginx proxy which is in turn proxying out different apps, ie: [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse Proxy] ------> [application] Where [] denotes a different box, the ProxyBox is hostname.domain and the apps are published as hostname.domain/appname However, the client is able to access the application without authentication, we have clients and roles set up in keycloak and the config looks ok (although obviously isn't!) Are there any KeyCloak Proxy logs we can look at, or debugging options? I haven't found any as yet andnothing is jumping out of the config. We can access the back end apps ok either from the Keycloak proxy running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this latter connection will be restricted to localhost when it's working!). The keycloak proxy config is very similar to the default except the values from the keycloak installation GUI have been pasted in. Any troubleshooting tips would be much appreciated! thanks in advance:) Guy keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- Sent from my Android device with K-9 Mail. Please excuse my brevity. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

I'm using the proxy in one of my environments and it definitely is requiring authentication. The logs are pretty poor, so debugging is a pain. Two possibilities come to mind: First, are you sure you haven't already authenticated? If you look at the network activity in your browser, are you redirected to keycloak then directed back to your app? Second, have you set constraints in the proxy config? Do those constraints (starting at your configured base path) match the urls you are trying to hit? Bill: As far as I am aware, neither of those httpd modules are supported by us either. A supported option for getting SSO in front of legacy apps is step 1 of getting in the door at clients. If we do end up telling customers to use an apache module, adding generated config for them to the web ui would really help. Chris Pitman Senior Architect, Red Hat Consulting ----- Original Message ----- > > > FYI I haven't touched this code in more than a year and have been > relying on > the community to maintain it. Why? Well, we're not supporting it in > product > and Apache plugins like mod-auth-mellon and mod-auth-oidc exist. We're > also > talking to other teams like API Man to see if we can offload the proxy > on > them. Anyways, sounds like lame excuses...I know you just want > answers... > > On 5/13/16 4:33 PM, Guy Bowdler wrote: > > > Also, you just need to configure and back end proxy only to accept > connections from the key cloak proxy to secure, we've just left it > open for > now to troubleshoot > > On 13 May 2016 19:58:47 BST, Bill Burke <bburke(a)redhat.com&gt; wrote: > > > The idea of the proxy is that the secured app doesn't have to have a > plugin. The secured app is supposed to be on a private network and > the > proxy sits on a public one. > > > On 5/13/16 11:52 AM, Jason Axley wrote: > > From my read of the design, it doesn’t look like the proxy design > provides a > secure way of front-ending an application that won’t allow someone > with > network access behind the proxy to access the application either > without > authentication or by impersonating any user since the design appears > to rely > on HTTP headers set with identity information sent to the backend > application. > > A better design would have been to pass the actual Id Token to the > backend > application so that the backend application can actually verify the > identity signature on the JWT so that someone can’t just fabricate > arbitrary identity information. I would think this could work in > concert > with an application plugin that could consume these tokens and > validate and > make the identity information available to the application in a > trustworthy > manner. > > -Jason > > On 5/13/16, 8:00 AM, &quot;keycloak-user-bounces(a)lists.jboss.org on behalf > of Guy > Bowdler" <keycloak-user-bounces(a)lists.jboss.org on behalf of > guybowdler(a)dorsetnetworks.com&gt; wrote: > > Hi, > > We've got the Keycloak Security Proxy (official one - > > https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html > ) > running and passing to an nginx proxy which is in turn proxying out > different apps, ie: > > [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx > Reverse Proxy] > ------> [application] > > Where [] denotes a different box, the ProxyBox is hostname.domain and > the apps are published as hostname.domain/appname > > > However, the client is able to access the application without > authentication, we have clients and roles set up in keycloak and the > config looks ok (although obviously isn't!) > > Are there any KeyCloak Proxy logs we can look at, or debugging > options? > I haven't found any as yet andnothing is jumping out of the config. > > We can access the back end apps ok either from the Keycloak proxy > running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, > this > latter connection will be restricted to localhost when it's > working!). > The keycloak proxy config is very similar to the default except the > values from the keycloak installation GUI have been pasted in. > > Any troubleshooting tips would be much appreciated! thanks in > advance:) > > Guy > keycloak-user mailing list keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > keycloak-user mailing list keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > keycloak-user mailing list keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Sent from my Android device with K-9 Mail. Please excuse my > brevity. > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

The idea of the proxy is that the secured app doesn't have to have a plugin. The secured app is supposed to be on a private network and the proxy sits on a public one. On 5/13/16 11:52 AM, Jason Axley wrote: > From my read of the design, it doesn’t look like the proxy design provides a secure way of front-ending an application that won’t allow someone with network access behind the proxy to access the application either without authentication or by impersonating any user since the design appears to rely on HTTP headers set with identity information sent to the backend application. > > A better design would have been to pass the actual Id Token to the backend application so that the backend application can actually verify the identity signature on the JWT so that someone can’t just fabricate arbitrary identity information. I would think this could work in concert with an application plugin that could consume these tokens and validate and make the identity information available to the application in a trustworthy manner. > > -Jason > > On 5/13/16, 8:00 AM, &quot;keycloak-user-bounces(a)lists.jboss.org on behalf of Guy Bowdler" <keycloak-user-bounces(a)lists.jboss.org on behalf of guybowdler(a)dorsetnetworks.com&gt; wrote: > >> Hi, >> >> We've got the Keycloak Security Proxy (official one - >> https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html) >> running and passing to an nginx proxy which is in turn proxying out >> different apps, ie: >> >> [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse Proxy] >> ------> [application] >> >> Where [] denotes a different box, the ProxyBox is hostname.domain and >> the apps are published as hostname.domain/appname >> >> >> However, the client is able to access the application without >> authentication, we have clients and roles set up in keycloak and the >> config looks ok (although obviously isn't!) >> >> Are there any KeyCloak Proxy logs we can look at, or debugging options? >> I haven't found any as yet andnothing is jumping out of the config. >> >> We can access the back end apps ok either from the Keycloak proxy >> running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this >> latter connection will be restricted to localhost when it's working!). >> The keycloak proxy config is very similar to the default except the >> values from the keycloak installation GUI have been pasted in. >> >> Any troubleshooting tips would be much appreciated! >> >> thanks in advance:) >> >> Guy >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi Jason, Thanks for your input. Rest assured this all under consideration, especially the authorisation side of things. The keycloak proxy does look like it exposes key fields in headers that are otherwise quite tricky to extract by other means and that can be easily processed by the application. Ensuring that no header manipulation may be trickier, but there should be some signing in the JWT our devs can check against Guy Bowdler Dorset Networks 01202 694966 | 07793 290798 | www.dorsetnetworks.com <http://www.dorsetnetworks.com> Website and email hosting | Computer Networks > On 17 May 2016, at 18:42, Jason Axley <jaxley(a)expedia.com > <mailto:jaxley@expedia.com>> wrote: > > Not requiring a plugin is a fine design goal, but the applications > must have custom code to at least extract the user’s identity > information from the HTTP requests. It would be best design approach > to actually provide the application with *verifiable* identity > information in the form of the JWT that can be verified with a plugin > or inside the same set of application code that is responsible for > extracting the identity for the request. > > Perhaps since the access token is sent along as KEYCLOAK_ACCESS_TOKEN > so the server could request the JWT if they knew the URL? I would be > sure to document how integrating applications behind the proxy should > securely integrate and validate the identity information, otherwise > apps won’t do this securely. > > Secure design necessitates replacing assumptions with controls > wherever possible. Assumptions such as “there is no bad guy on my > network” are pretty devastating to security and in practice > impossible to ensure but a control such as “attackers cannot forge > JWT tokens“ are much more robust and easy to reason about. > > -Jason > > On 5/13/16, 11:58 AM, &quot;keycloak-user-bounces(a)lists.jboss.org > <mailto:keycloak-user-bounces@lists.jboss.org> on behalf of Bill > Burke" <keycloak-user-bounces(a)lists.jboss.org > <mailto:keycloak-user-bounces@lists.jboss.org> on behalf of > bburke(a)redhat.com <mailto:bburke@redhat.com>> wrote: > >> The idea of the proxy is that the secured app doesn't have to have a >> plugin. The secured app is supposed to be on a private network and the >> proxy sits on a public one. >> >> >> On 5/13/16 11:52 AM, Jason Axley wrote: >>> From my read of the design, it doesn’t look like the proxy design >>> provides a secure way of front-ending an application that won’t >>> allow someone with network access behind the proxy to access the >>> application either without authentication or by impersonating any >>> user since the design appears to rely on HTTP headers set with >>> identity information sent to the backend application. >>> >>> A better design would have been to pass the actual Id Token to the >>> backend application so that the backend application can actually >>> verify the identity signature on the JWT so that someone can’t just >>> fabricate arbitrary identity information. I would think this could >>> work in concert with an application plugin that could consume these >>> tokens and validate and make the identity information available to >>> the application in a trustworthy manner. >>> >>> -Jason >>> >>> On 5/13/16, 8:00 AM, &quot;keycloak-user-bounces(a)lists.jboss.org >>> <mailto:keycloak-user-bounces@lists.jboss.org> on behalf of Guy >>> Bowdler" <keycloak-user-bounces(a)lists.jboss.org >>> <mailto:keycloak-user-bounces@lists.jboss.org> on behalf of >>> guybowdler(a)dorsetnetworks.com >>> <mailto:guybowdler@dorsetnetworks.com>> wrote: >>> >>>> Hi, >>>> >>>> We've got the Keycloak Security Proxy (official one - >>>> https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html) >>>> running and passing to an nginx proxy which is in turn proxying out >>>> different apps, ie: >>>> >>>> [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse >>>> Proxy] >>>> ------> [application] >>>> >>>> Where [] denotes a different box, the ProxyBox is hostname.domain and >>>> the apps are published as hostname.domain/appname >>>> >>>> >>>> However, the client is able to access the application without >>>> authentication, we have clients and roles set up in keycloak and the >>>> config looks ok (although obviously isn't!) >>>> >>>> Are there any KeyCloak Proxy logs we can look at, or debugging >>>> options? >>>> I haven't found any as yet andnothing is jumping out of the config. >>>> >>>> We can access the back end apps ok either from the Keycloak proxy >>>> running on ports 80 or 443 or via the nginx proxy on 8080 (and >>>> yes, this >>>> latter connection will be restricted to localhost when it's working!). >>>> The keycloak proxy config is very similar to the default except the >>>> values from the keycloak installation GUI have been pasted in. >>>> >>>> Any troubleshooting tips would be much appreciated! >>>> >>>> thanks in advance:) >>>> >>>> Guy >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user